Banking, Cybersecurity

Still Using Windows 7 for ATMs? It Might Not Be as Risky as You Think

Posted on by Darla Liebl
woman using ATM
09
Jul

It’s been over five years since Microsoft officially ended extended support for Windows 7 in January 2020. For most business environments, continuing to use an unsupported operating system poses serious security risks. However, in the world of ATM management—where legacy hardware and software lifecycles are longer than typical IT infrastructure—the conversation is more nuanced.

Many community banks still operate older ATMs running Windows 7, and understandably so. A full ATM upgrade can run $50,000 per ATM, making it a huge investment for a local bank. Is it necessary to put that money into ATM upgrades, or could it be better used somewhere else? 

There are valid concerns surrounding compliance and exposure to known ATM vulnerabilities, but it’s important to recognize that ATM security isn’t based solely on patching. With the right controls in place, even unsupported systems can remain highly secure.

This post clarifies when continued use of Windows 7 might still meet ATM security system standards and highlights one very important exception.

The Reality of Windows 7 and ATM Compliance

Security guidance from bank associations like CBAK encourages institutions to modernize their operating systems wherever feasible. And rightly so—up-to-date platforms support modern security features, reduce compatibility issues, and make patch management far simpler.

That said, banks that maintain strict compensating controls on isolated ATMs may still align with current security guidelines. In these cases, a combination of network isolation, encryption, and physical safeguards offers a risk-mitigating strategy comparable to OS patching.

Compliance Note: While there are valid risks associated with using an unsupported operating system, isolated ATMs with proper controls may still meet security requirements under frameworks such as those recommended by the FFIEC.

The Isolated-ATM Exception

In scenarios where an ATM is completely air-gapped, running Windows 7 may still be acceptable if several specific controls are in place.
If an ATM is fully air-gapped, with all external network traffic limited to your ATM vendor’s management network, tamper alarms are maintained, and full-disk encryption is enabled, these controls can compensate for lack of Windows 7 patches. 

The only downside is that the ATM provider’s software updates and patches may not be compatible with Windows 7 in the near future. Even then, when you are forced to update your ATM, we recommend the same practices be followed—these are best practices even with modern ATM equipment. 

Key Controls for an Isolated ATM Security System:

  • Strict Network Isolation: No connection to public networks or general internet access; connectivity limited strictly to the ATM vendor’s network.
  • Tamper Detection Alarms: Active physical intrusion detection that notifies security personnel of unauthorized access.
  • Full-Disk Encryption: Prevents theft or exposure of sensitive data, even in the event of physical compromise.
  • Vendor-Restricted Management: Only ATM vendor software and update channels are permitted, blocking general-purpose access.
  • No Remote Access: No RDP or VPN capability outside of secured vendor channels.
  • Audit Logging and Monitoring: Logs should be captured and reviewed to detect anomalies in access or activity.
  • No Internet Access to the Public Internet: Lockdown communication to your vendor only.

In this setup, network lockdown becomes the primary defense. From a risk perspective, these restrictions offer a compensating control that is functionally equivalent—if not superior—to applying regular Windows 7 security patches in connected environments.

Be Aware of Evolving Threats: ATM Jackpotting

Legacy ATMs aren’t only vulnerable due to outdated operating systems. Increasingly, attackers are exploiting physical weaknesses in machines to launch cyber-physical attacks known as “jackpotting.”

April 2025 – ATM Jackpotting Hits Kansas
In Salina and Wichita, attackers used custom tools to breach ATM cabinets, disconnect legitimate dispensers, and deploy “black box” devices containing jackpotting malware. Within minutes, each machine dispensed its entire cash reserve—leading to six-figure losses in some cases.

Jackpotting threats bypass traditional software protections altogether. That’s why your ATM security system must incorporate:

  • Enhanced physical locks and hardened cabinets
  • Regular security audits and risk assessments
  • Security cameras and environmental sensors for stand-alone machines
  • Staff training on suspicious behavior detection
  • Advanced monitoring to detect unauthorized access or abnormal withdrawal patterns
  • Incident response plans specific to jackpotting events
  • Network segmentation
  • Restricted internet access
  • Alarmed top hat
  • Full disk encryption

Regardless of the operating system, a multi-layered defense strategy is essential for protecting your institution’s physical and digital assets.

When It’s Time to Upgrade

Even with proper isolation, Windows 7 ATMs have a shelf life. ATM software providers may eventually drop support for Windows 7, leaving institutions unable to apply vendor patches or updates. When that time comes, we recommend maintaining the same strict controls and hardening techniques, even on newer Windows 10 or 11 deployments.

Consider upgrading if:

  • Your ATM is no longer receiving vendor software or firmware updates
  • Remote management tools require newer OS compatibility
  • Your current configuration limits functionality or PCI DSS compliance
  • You plan to introduce additional features like contactless card readers or biometric access

Upgrades should be planned with long-term security and compatibility in mind.

Increase ATM Security with RESULTS Technology

A well-secured ATM doesn’t depend on its operating system alone. With the right controls, even older systems can still provide strong protection. However, the key is how the machine is configured and managed.

If your institution is still using Windows 7 in isolated, air-gapped environments with robust encryption and alarm systems, your current ATM security posture may already meet best-practice guidelines. That said, every institution should be planning for future upgrades—and should continually assess both digital and physical threats like jackpotting.

To explore ATM security strategies tailored for community banks, RESULTS Technology can help. Reach out today to get your questions about ATM security answered!

Darla Liebl

Darla Liebl is the Marketing Director at RESULTS Technology, where she leads strategy and content development to support community banks, credit unions, and financial services firms with compliance-focused IT solutions. With over a decade of experience in B2B marketing and a passion for cybersecurity and business growth, Darla creates educational content that helps small businesses make informed technology decisions. Her work focuses on translating complex IT topics into clear, actionable insights that resonate with both technical and non-technical audiences.